Get Hands-On: How we reviewed the codebase of a multi-million dollar Azure and IoT enterprise application
Hi! Welcome to the hands-on lab.
Is reviewing and maintaining a large enterprise application code base giving you nightmares?
In this lab we walk through 4 steps that help us deliver code of good quality and consistency while reducing redundant manual effort during development.
The 4 steps are:
- Leveraging the on-the-fly code analysis capability of Roslyn to detect vulnerabilities while developing, right in your IDE, and further leveraging its code-generation capability to inject custom code and documentation, which saved us a lot of development effort.
- Integrating static code analyzers in the CI/CD pipeline.
- Leveraging Azure Automation with runbooks to report compliance and auto-fix resources according to custom rules.
- Leveraging Azure Monitor, Azure Advisor and Azure Security Center to monitor the resources in action.
Solution: https://github.com/saranyaravichander/ReadyLab-Sample-code
- Open the solution "Quickstarts.sln" on your desktop in Visual Studio
- Build the solution
- Open App.config in the path Quickstarts/ConfigurationUpdater/
- Under appSettings, update the value of "aliasOrUniquevalue" with your alias or a unique value: <add key="aliasOrUniquevalue" value="xxxx"/>
- Build and execute the ConfigurationUpdater project. This updates the names of the resources in the ARM template.
- Open the containing folder of "Quickstarts.sln"
- Navigate to the CustomAnalyzers > Analyser VSIXs folder
- Double-click AttributeAnalyzer.vsix. Note that an analyzer runs with your privileges inside Visual Studio and on every build, so only install VSIX packages from a source you trust.
- This opens the VSIX Installer; select Visual Studio 2017 and click Install
- Close the VSIX Installer dialog box and restart your instance of Visual Studio
- In Visual Studio go to Tools > Extensions and Updates on the menu bar at the top
- You should see the AttributeAnalyzer extension listed as installed
- Open Quickstarts.sln in the Visual Studio instance
- Open the file SimulatedDevice.cs
- Go to the SendDeviceToCloudMessagesAsync() method; you should see a green warning squiggle on the method
- Hover over it and you will see the message "Necessery or its Alternate Attribute is missing"
- You will also see a small yellow light bulb. Click its arrow button; you will see the option "Add required Attributes"
- Clicking this adds the necessary attribute to the method. Resolve the required namespaces.
- Observe the session as the instructor demonstrates integrating code analyzers in the DevOps pipeline: https://docs.microsoft.com/en-us/azure/devops/articles/security-validation-cicd-pipeline?view=vsts
- Deploy the ARM deployment project Quickstarts/ProvisioningProject
- If asked for a resource group name, enter "quickstarts"
- Using the Azure portal, check that the resources are deployed
- Once the resources are deployed, create an Azure Automation account in the Azure portal (+ Create a resource -> Management tools -> Automation)
- Once the Automation account is created, click 'Runbooks' in the left menu pane of the resource
- Click '+ Create a runbook'
- Enter 'Naming convention check' as the 'Name'
- Select 'PowerShell' as the 'Runbook type'
- Click 'Edit' once the runbook is created
- Copy the PowerShell code in 'Quickstarts/ProvisioningProject/AutomationRunbooks/ReportNamingConvention.ps1' and paste it into the runbook editor.
- Click 'Save'. Once saved, click 'Test pane'
- Click 'Start' to test the runbook.
- The runbook reports any resources that have been created without following the naming convention. It can only enumerate resources that the Automation account's identity (for example its Run As account) has at least Reader access to, so grant that access before testing.
- If no violations are reported, create a resource whose name does not start with the expected 'storage-' prefix; on the next run the runbook will report that name. Note that Azure storage account names may contain only lowercase letters and digits, so a hyphenated prefix cannot appear on a storage account itself; check ReportNamingConvention.ps1 for the exact resource types and prefixes it tests.
- Observe as the instructor shows you the issues that can be monitored using Azure Advisor and Azure Security Center
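For the analyzer installed from AttributeAnalyzer.vsix in the first part of this lab, the following is an added example of how such a Roslyn analyzer and its companion code fix are built. It is illustrative code written for this page, not the source of the lab's VSIX: the attribute names Necessary and Alternate, the diagnostic id LAB001, the class names and the exact warning text are assumptions. It needs the Microsoft.CodeAnalysis.CSharp and Microsoft.CodeAnalysis.CSharp.Workspaces packages.

```csharp
using System.Collections.Immutable;
using System.Composition;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.CodeAnalysis;
using Microsoft.CodeAnalysis.CodeActions;
using Microsoft.CodeAnalysis.CodeFixes;
using Microsoft.CodeAnalysis.CSharp;
using Microsoft.CodeAnalysis.CSharp.Syntax;
using Microsoft.CodeAnalysis.Diagnostics;
using Microsoft.CodeAnalysis.Formatting;

namespace AttributeAnalyzerExample
{
    // Analyzer: warns on every method that carries neither [Necessary] nor [Alternate].
    // Attribute names, diagnostic id and message are assumptions made for this example.
    [DiagnosticAnalyzer(LanguageNames.CSharp)]
    public sealed class RequiredAttributeAnalyzer : DiagnosticAnalyzer
    {
        public const string DiagnosticId = "LAB001";
        private static readonly string[] AcceptedAttributes = { "Necessary", "Alternate" };

        private static readonly DiagnosticDescriptor Rule = new DiagnosticDescriptor(
            DiagnosticId,
            title: "Required attribute missing",
            messageFormat: "Necessary or its Alternate attribute is missing on method '{0}'",
            category: "Usage",
            defaultSeverity: DiagnosticSeverity.Warning,
            isEnabledByDefault: true);

        public override ImmutableArray<DiagnosticDescriptor> SupportedDiagnostics => ImmutableArray.Create(Rule);

        public override void Initialize(AnalysisContext context)
        {
            context.ConfigureGeneratedCodeAnalysis(GeneratedCodeAnalysisFlags.None);
            context.EnableConcurrentExecution();
            // Run once per method declaration as the user types; no semantic model is needed.
            context.RegisterSyntaxNodeAction(AnalyzeMethod, SyntaxKind.MethodDeclaration);
        }

        private static void AnalyzeMethod(SyntaxNodeAnalysisContext context)
        {
            var method = (MethodDeclarationSyntax)context.Node;
            // Accept [Necessary], [NecessaryAttribute] and namespace-qualified forms such as [Lab.Necessary].
            bool hasAccepted = method.AttributeLists
                .SelectMany(list => list.Attributes)
                .Select(attribute => attribute.Name.ToString())
                .Any(name => AcceptedAttributes.Any(accepted =>
                    name == accepted || name == accepted + "Attribute" || name.EndsWith("." + accepted)));
            if (!hasAccepted)
            {
                // Squiggle the method name only, so the warning does not cover the whole body.
                context.ReportDiagnostic(Diagnostic.Create(Rule, method.Identifier.GetLocation(), method.Identifier.Text));
            }
        }
    }

    // Code fix: the light-bulb action "Add required Attributes" that inserts [Necessary] on the flagged method.
    [ExportCodeFixProvider(LanguageNames.CSharp, Name = nameof(RequiredAttributeCodeFix)), Shared]
    public sealed class RequiredAttributeCodeFix : CodeFixProvider
    {
        public override ImmutableArray<string> FixableDiagnosticIds => ImmutableArray.Create(RequiredAttributeAnalyzer.DiagnosticId);

        public override FixAllProvider GetFixAllProvider() => WellKnownFixAllProviders.BatchFixer;

        public override async Task RegisterCodeFixesAsync(CodeFixContext context)
        {
            var root = await context.Document.GetSyntaxRootAsync(context.CancellationToken).ConfigureAwait(false);
            var diagnostic = context.Diagnostics[0];
            // The diagnostic location is the method identifier; walk up to the declaration it belongs to.
            var method = root.FindToken(diagnostic.Location.SourceSpan.Start).Parent
                .AncestorsAndSelf().OfType<MethodDeclarationSyntax>().First();
            context.RegisterCodeFix(
                CodeAction.Create("Add required Attributes",
                    cancellationToken => AddAttributeAsync(context.Document, root, method),
                    nameof(RequiredAttributeCodeFix)),
                diagnostic);
        }

        private static Task<Document> AddAttributeAsync(Document document, SyntaxNode root, MethodDeclarationSyntax method)
        {
            // Emit the short name; the developer resolves the namespace afterwards, as the lab steps describe.
            var attribute = SyntaxFactory.Attribute(SyntaxFactory.IdentifierName("Necessary"));
            var attributeList = SyntaxFactory.AttributeList(SyntaxFactory.SingletonSeparatedList(attribute))
                .WithAdditionalAnnotations(Formatter.Annotation);
            var newMethod = method.AddAttributeLists(attributeList);
            return Task.FromResult(document.WithSyntaxRoot(root.ReplaceNode(method, newMethod)));
        }
    }
}
```

Referencing the analyzer project from the application project (or installing it as a VSIX, as in the lab) surfaces the warning both in the editor and in the build output, so the same rule also fires when the solution is built in the CI/CD pipeline of the second step; raising the descriptor's default severity to Error would make that build fail instead of only warning.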